WASABI WALLET: UNFAIRLY PRIVATE

Wasabi is an open-source, non-custodial, privacy focused Bitcoin wallet, that implements trustless coin shuffling with mathematically provable anonymity: Schnorrian CoinJoin, it is the first of its kind.

Let’s buy a coffee!

But before we go into the details. To wake you and me up let’s go buy a cup of coffee. So there we are in the coffee shop and we pay with bitcoin as a result we get back our drink. Meanwhile we are drinking our coffee which is tasty and hot as it meant to be, let’s have a conversation about what happened from the perspective of privacy / security view during the transaction.

It should be quite clear that in the simple act of purchasing coffee you have exposed your personal identity to the cashier. The situation is pretty much the same if you are doing it online because of the Know you customer policy often shortened to ‘KYC ‘ which requires that the merchant collect identifiable information from customers. So the transaction can be connected to you. If you are using your wallet in the same way you are using your credit card you might have exposed your total balance or some part of it. That is not only an uncomfortable feeling but also dangerous. With the input address your past transactions and with the change output address your future transactions are traceable.

Example: the coffee transaction

Wallet leakage

To pay with bitcoin you have to use a wallet maybe a web-wallet or a light-wallet. Most of these wallets are directly tied to a 3rd party server. Every actions you take are forwarded to them if they decide they can easily spy on you. Most of the cases they are holding your private keys too. In the privacy point of view this is the worst you can do. Wasabi is a non-custodial wallet your private key is stored on your side (in an encrypted wallet file) meaning that you have the full control over your bitcoins no third party can freeze or lose your funds.

Last time I used my Coinbase wallet I was required to upload an image of my passport until that my wallet was frozen. They can lock you out until you deanonymize yourself.

In many wallets you can only see the total balance of your wallet. In reality your balance is fragmented into many coins. With this kind of wallets you are not able to choose which coin goes where it is selected automatically. Why it is a problem? You should be aware the history of the coin which will be used for a transaction, where did it come from. With CoinControl feature you can see every coins you have, you can select which will be used. In addition you can use labels to coins when you are sending or receiving and Wasabi will automatically append the labels according to the path of that coin. Basically it is building the history of a particular coin. For example in that way you can avoid to pay with your full salary for that coffee and expose it to the cashier.

CoinControl feature and labeling system

Let’s say you have found a wallet which is fulfilling the mentioned requirements. How can you verify that? The function of a software is determined by the source-code. If you build (compile) your own executable you can be sure it will work according to the code. Wasabi is 100% open-source software so you don’t have to trust in the developers. Even if you cannot verify it by yourself the trust is distributed among the world’s software developers. If there is something fishy in the code, it won’t be hidden for too long.

Bitcoin Network — Nodes

There are Supernodes in the network which collect metadata about the origin of any network traffic. If you are lucky you didn’t bump into any network analysis server, but you likely will in the future.

There is no light wallet that would not fail on the privacy level against network analysis.

With most light wallet, easy to see because mostly it is just querying a web API. For example to determine the total balance you have in your wallet, addresses are queried in the same time from the same source and just connected together.

Jonas Nick has deanonymized a lot of SPV wallets and he said that give me one of your bitcoin address (SPV wallet) and I give back 70 percent of your wallet addresses using heuristic and cluster analysis. That is pretty scary.

These kind of problems can be solved by running a full node which is my recommendation but if you cannot do that because it is resource intensive there is another solution:

BIP158 and BIP157. The idea is instead of requesting addresses you are requesting blocks. In that way an observer cannot tell which addresses are we interested in. With wasabi you have a constant set of filters you get it from some source. The filters are constructed in a way that your wallet can determine which blocks are related. So this is the first light wallet architecture thats truly a light wallet that does not ruin your privacy. Because bitcoin core nodes does not support it yet we have to implement it on our backend. Filters are delivered to the clients through Tor anonymity network and blocks are downloaded from a random node. Bitcoin Core integration: BIP158 is merged but BIP157 is still in progress.

Transaction chain

Bitcoin is often described as an anonymous cryptocurrency, but this is incorrect. Bitcoin is actually pseudonymous. The distinction is crucial: under a cryptographic pseudonym, your behavior can still be tracked.

Transaction chain

At this point many issues have been covered. However one of the most trivial problems remain, that transaction chain is still there and is it traceable. So we have to obfuscate the transaction chain. Let’s try to do some Mixing.

Forever alone mixing

Can you obfuscate the ledger on your own? Well the answer is not really. The problem is that even if you generate a lot of transactions with varying inputs and outputs the begin and the end transaction could be identified. For example if coins come from the same wallet it can be connected together with the help of breadth-first search on the transaction graph. In addition transaction creation could be expensive. The more users there are, the better your privacy.Anonymity loves company.

Forever alone mixing

Traditional mixers

In the past, traditional bitcoin mixers provide centralized way to obfuscate the ledger. The problem is that you have to send your coins into the mixer and they will send back the mixed bitcoin for you if they will… For example: Bitcoin fog worked for years without an issue had a good feedback but later it became a selective scam. You send the money it mixes but if you send a larger amount it will take it so basically it can steal from you. Also it can decide to deanonymize you later if they log which coin mixed to where. Trusted 3rd parties are privacy and security holes.

CoinJoin

Why CoinJoin is good for privacy? It is breaking the link between input and output thus disconnecting the transaction chain.Let’s look at following CoinJoin transaction.

CoinJoin transaction with unequal outputs constructed badly

For the first look it is hard to say which output belongs to which input. But if we take a closer look we can make some assumptions. Imagine that the transaction is written in a format of a Sodoku game, the rows are the inputs, the columns are the outputs. Analyzing the amounts and filling the sodoku can reveal the relationship between inputs and outputs in that way deanonymize the participants. Let’s play a game. Try to deanonymize the users. Output with 1 BTC belongs to Alice because she cannot get back more than she gave. Output with 8 BTC can only can only be owned by Eszter because for the same reason. Bob’s outputs can only be 2 and 4 not other combination gives 6 bitcoins. And so on… The more users are deanonymize the easier to do the rest. If we need mathematically proven anonymity we need to have equal outputs regarding the amounts.

Deanonymized CoinJoin transaction

Similar techniques are amount analysis or subset sum analysis. More sophisticated explanation about CoinJoin Sodoku here. How to construct with mathematically provable anonymity?

Use equal outputs! Look at the following CoinJoin transaction:

CoinJoin with equal outputs — “amount analysis protected”

Set up a fixed denomination of 1 BTC. If there is 4 participants in the CoinJoin then you have a quarter probability to tell who is the original owner of that coin. In this case we are saying that the anonymity set is 4. In the reality nobody will register with the exact amount of the denomination so beside the mixed coin there will be a change which is unmixed. With that amount you can participate in another round meaning that with this particular example if you have 8 bitcoins than you will have 8 rounds to anonymize your total amount. Currently (3/20/2019) Wasabi has ~0.1 denomination and 67 anonymity set per CoinJoin round.

Also made an improvement where some of the change outputs are CoinJoined together if possible, the unequal input mixing extension. With this Wasabi gives more anonymity set for the same fee.

Now this transaction have to be constructed by “something”. Wasabi provides the following solution.

Wasabi coordinator

Basically it works as following:

Client connects to the coordinator (backend — run by Wasabi Team).

Collecting information from clients in an anonymous way.

Construct the CoinJoin transaction and send the unsigned transaction to every client.

On client side the transaction is verified and if it is OK then the client returns their input signature to the coordinator.

After all input signature acquired the coordinator builds the final transaction and broadcasts it to the network.

In that way there is no way to steal someones money so it is a trustless solution.

Coordinator tasks

So, does that mean we are in the clear? Not quite. Unfortunately not because if the coordinator is spying on you it will know a lot to deanonymize you so it is has to be constructed in a way that it cannot deanonymize the participants.

First phase: input registration

So the first phase is when the coordinator waits and collects the users. For example the anonymity set is fifty so it will wait until 50 users are there. Let’s have a closer look how can a user can register.

Alice would like to gain privacy on one of her coins this will be the input. So she selects one or more coins with the CoinControl feature and enqueue them to CoinJoin. Also she generates two additional addresses, one for the mixed coin and another for the change output. Now if she gives output in a plain format the coordinator easily link the input and the output so deanonymize the user. The trick is to blind the output with Schnorr signatures. With this the coordinator cannot see the output address but can sign it and later verify that signature if the output was registered. Small conversation about the security of Schnorr signatures here.

Now the client has a signature for the mixed output address which will be useful later.

Second phase: connection confirmation

Input registration is the longest phase can take minutes to hours depends on user activity. At connection confirmation the coordinator checks that every user is still there.

Third phase: output registration

The client sends the unblinded output.

Output registration: client sends the unblinded output.

Here we have to stop for a while. The communication between the client and the coordinator made through the internet. Wasabi is using Tor anonymity network to increase privacy. Tor basically does two things: hides the source of the traffic and gives end-to-end encryption. At this point nobody on the internet can spy on us BUT! if we would use the same Tor circuit as we used to send the input in the registration phase then the coordinator can link that. So to send the output wasabi uses a different Tor circuit. The coordinator verify the output with the unblinded output signature to make sure it is not a random output from an attacker from the internet.

Wasabi uses more Tor circuit to hide the source from the coordinator.

So now the coordinator has all information to construct the unsigned CoinJoin transaction.

Fourth phase: signing

In signing phase we let the clients verify the constructed CoinJoin. They are verifying if the transaction is valid for example it the outputs are there and the amounts are correct. If something is not correct then client can say that: I do not sign this transaction. So basically there is no way to stole from the users. If it is OK then signature is sent back and added to the transaction.

Final step: acquire the input signatures from the clients.

After every user signed the transaction the coordinator broadcasts it to the nodes.

Final words

Wasabi not only protects your privacy from others but also protects from us. The only person you have to trust in, is yourself!

In reality the procedure is more complex here are some sources about the details: